From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | soufiane(dot)boussali(at)efet(dot)ac(dot)ma |
Cc: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #14090: Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. |
Date: | 2016-04-18 19:08:47 |
Message-ID: | CAKFQuwZGg31o=1L8ZsntR6X7-27Nx2-6Mkh_1SxLD4fHByMeaA@mail.gmail.com |
Lists: | pgsql-bugs |
On Sat, Apr 16, 2016 at 4:38 AM, <soufiane(dot)boussali(at)efet(dot)ac(dot)ma> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14090
> Logged by: Soufiane Boussali
> Email address: soufiane(dot)boussali(at)efet(dot)ac(dot)ma
> PostgreSQL version: 9.5.2
> Operating system: Mac Os
> Description:
> [...]
>
> Some installations of Postgres 8 and 9 are configured to allow
> loading external scripting languages.
> Most commonly this is Perl and Python. When enabled, command
> execution is possible on the host.
> To execute system commands, loading the "untrusted" version of the
> language is necessary.
> This requires a superuser. This is usually postgres. The execution
> should be platform-agnostic,
> and has been tested on OS X, Windows, and Linux.
>
> This module attempts to load Perl or Python to execute system
> commands. As this dynamically loads
> a scripting language to execute commands, it is not necessary to
> drop a file on the filesystem.
>
That's why they are "untrusted"...and if being superuser is a requirement
then it isn't really an exploit now, is it?

For reference PostgreSQL version numbering requires two digits separated by
a period. Version 8 and version 9 are incomplete identifiers as they lack
the second digit. All versions beginning with 8 are also no longer
supported.

I could not follow the code so my only real guide for complaint/intent is
the description which I've quoted.

David J.
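
An added example, not part of the original message or of PostgreSQL's own code: catalog queries an administrator can run to audit what this thread discusses, namely which untrusted procedural languages are installed in a database, which functions are written in them, and which roles hold the superuser attribute that loading such a language requires. The column aliases are chosen here for illustration.

```sql
-- Run in each database: pg_language and pg_proc are per-database catalogs.

-- 1. Procedural languages installed in this database.
--    lanpltrusted = false marks an "untrusted" language (for example plperlu
--    or plpythonu). lanispl filters out the built-in internal, c and sql entries.
SELECT l.lanname                   AS language_name,
       l.lanpltrusted              AS trusted,
       pg_get_userbyid(l.lanowner) AS language_owner
FROM pg_language AS l
WHERE l.lanispl
ORDER BY l.lanpltrusted, l.lanname;

-- 2. Functions written in an untrusted procedural language.
--    A SECURITY DEFINER function runs with its owner's privileges, so those
--    rows deserve the closest review.
SELECT n.nspname                   AS schema_name,
       p.proname                   AS function_name,
       l.lanname                   AS language_name,
       pg_get_userbyid(p.proowner) AS function_owner,
       p.prosecdef                 AS security_definer
FROM pg_proc AS p
JOIN pg_language  AS l ON l.oid = p.prolang
JOIN pg_namespace AS n ON n.oid = p.pronamespace
WHERE l.lanispl
  AND NOT l.lanpltrusted
ORDER BY n.nspname, p.proname;

-- 3. Roles with the superuser attribute, and whether each can log in.
--    Only these roles can load an untrusted language or create functions in it.
SELECT r.rolname     AS role_name,
       r.rolcanlogin AS can_login
FROM pg_roles AS r
WHERE r.rolsuper
ORDER BY r.rolname;
```

An empty result from the first two queries with `trusted = false` means no untrusted procedural language is loaded in that database; the third query shows how many accounts could change that.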